Basic

Package 1: Attack Surface Discovery/Mapping

Comprehensive attack surface discovery and infrastructure mapping

Overview

Package 1 provides a foundational security assessment focused on discovering and mapping your organization's attack surface. This comprehensive service identifies all exposed assets, network infrastructure, and potential entry points that could be targeted by attackers.

Key Features

Comprehensive Attack Surface Discovery

Our advanced reconnaissance system employs 22 unique methodologies to identify all publicly accessible assets, including:

  • Web applications and APIs
  • Network services and ports
  • Cloud infrastructure components
  • Third-party integrations and dependencies
  • Subdomain enumeration across multiple data sources
  • Certificate transparency log analysis
  • Historical DNS record discovery
  • Code repository intelligence gathering

Passive, Semi-Active & Active Enumeration

Package 1 includes three levels of enumeration with different detection profiles:

  • Passive Enumeration (12 methodologies): True passive discovery using public databases, certificate transparency logs, search engines, security intelligence APIs, historical DNS databases, code repositories, and web archives. No direct interaction with target infrastructure - completely undetectable and safe.
  • Semi-Active Enumeration (6 methodologies): Light-touch techniques that make HTTP/HTTPS requests to target domains to analyze JavaScript files, CSS files, sitemaps, SSL certificates, HTTP headers, and document metadata. These generate server logs and can be detected by WAFs, but are typically acceptable for authorized assessments.
  • Fully Active Enumeration (4 methodologies - Optional): Aggressive direct interaction including DNS brute forcing, zone transfer attempts, DNS cache snooping, and port scanning. These methods provide the deepest coverage but are highly detectable. Requires explicit authorization and may incur additional operational costs.

Note: Semi-active techniques (HTTP/HTTPS requests) are included by default as they provide valuable domain discovery from web resources. Fully active enumeration requires explicit authorization and is more resource-intensive. We recommend starting with passive + semi-active enumeration and enabling fully active techniques only when maximum coverage is needed.

Network Mapping

Detailed mapping of your network infrastructure provides visibility into:

  • Network topology and architecture
  • IP address ranges and CIDR blocks
  • DNS configuration and records
  • Load balancers and CDN endpoints
  • Geographic distribution of assets

Infrastructure Visibility

Gain complete visibility into your infrastructure with:

  • Asset inventory and cataloging
  • Technology stack identification
  • Service dependency mapping
  • Configuration analysis
  • Security posture baseline

Initial Vulnerability Assessment

Basic vulnerability identification including:

  • Common misconfigurations
  • Exposed sensitive information
  • Outdated software versions
  • Weak security headers
  • Initial risk prioritization

Detailed Reconnaissance Techniques

Our multi-layered approach combines 22 unique methodologies organized into three categories based on detection profile:

Passive Techniques (12 Methodologies)

No direct interaction with target infrastructure - completely undetectable

  • 1. Certificate Transparency Log Analysis - Querying public CT logs (crt.sh, Certspotter, Censys Certificates API) for certificate-issued domains
  • 2. Search Engine Intelligence - Leveraging search engines (Google CSE, Brave Search) to discover domain mentions
  • 3. Security Intelligence Database Queries - Querying threat intelligence platforms (VirusTotal, Shodan, Censys Hosts) for hostname data
  • 4. Historical DNS Database Queries - Accessing passive DNS databases (ViewDNS, CIRCL, HackerTarget, DNSDumpster, Netcraft, ThreatMiner, ThreatCrowd)
  • 5. DNS Enumeration Tools - Specialized tool-based subdomain discovery (Amass, Subfinder, Assetfinder)
  • 6. Code Repository Dorking - Searching code repositories (GitHub, GitLab) for domain references in source code
  • 7. Web Archive Analysis - Mining archived web pages (Wayback Machine) for historical domain data
  • 8. DNS Record Enumeration - Direct DNS queries for MX, NS, TXT, and other record types
  • 9. Reverse DNS (PTR) Lookup - PTR record queries on discovered IP addresses
  • 10. DNS Wildcard Detection - Identifying wildcard DNS configurations via DNS queries
  • 11. Social Media Intelligence - Searching social platforms for domain mentions
  • 12. Reverse DNS Lookups - PTR record queries on discovered IP addresses
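
Technique 1 above (certificate transparency log analysis) yields raw certificate records rather than a host list; the added example below, which is not the vendor's tooling, normalises such records into an in-scope inventory and diffs it against a known asset list, which is how a defender turns the same passive data into "unknown or forgotten assets". It assumes the JSON shape crt.sh returns for a `%.example.com` query (records with `common_name` and a newline-separated `name_value`); the records embedded here are constructed, not fetched.

```python
"""Turn certificate-transparency records into an in-scope host inventory.

Added example (not the vendor's code). Assumes the crt.sh JSON shape:
a list of records whose ``name_value`` holds newline-separated SAN entries.
"""
import json

# Constructed sample in the assumed crt.sh shape (nothing here was fetched).
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\ndev.example.com"},
    {"common_name": "Mail.Example.com.",          # mixed case, trailing dot
     "name_value": "Mail.Example.com.\nautodiscover.example.com"},
    {"common_name": "example.com.evil.test",      # look-alike, different zone
     "name_value": "example.com.evil.test"},
    {"common_name": "legacy-vpn.example.com",
     "name_value": "legacy-vpn.example.com"},
])


def in_scope(host: str, apex: str) -> bool:
    """True when host is the apex itself or a proper subdomain of it."""
    return host == apex or host.endswith("." + apex)


def ct_hostnames(ct_json: str, apex: str) -> dict:
    """Return {"hosts": [...], "wildcards": [...]} for one apex domain, sorted."""
    hosts, wildcards = set(), set()
    for record in json.loads(ct_json):
        # Names are spread across common_name and the SAN list; read both.
        names = [record.get("common_name", "")] + record.get("name_value", "").split("\n")
        for name in names:
            host = name.strip().lower().rstrip(".")   # case- and dot-normalise
            if not host or not in_scope(host, apex):
                continue                              # drop blanks and look-alikes
            if host.startswith("*."):
                wildcards.add(host)                   # record the wildcard zone
                host = host[2:]                       # and inventory its parent
            hosts.add(host)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


def unknown_hosts(discovered, inventory) -> list:
    """Hosts seen in CT logs that the organisation's asset inventory lacks."""
    return sorted(set(discovered) - set(inventory))


if __name__ == "__main__":
    found = ct_hostnames(SAMPLE_CT_JSON, "example.com")
    known = {"example.com", "www.example.com", "mail.example.com"}
    print("wildcards:", found["wildcards"])
    print("not in inventory:", unknown_hosts(found["hosts"], known))
```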

Semi-Active Techniques (8 Methodologies)

Makes HTTP/HTTPS requests to target domains - generates server logs, detectable by WAFs

  • 13. JavaScript File Analysis - Extracting domains from JavaScript files via HTTP requests (API endpoints, configs, etc.)
  • 14. CSS File Analysis - Extracting domains from CSS files via HTTP requests (CDN links, asset URLs)
  • 15. Sitemap/Robots.txt Analysis - Parsing sitemaps and robots.txt files via HTTP requests
  • 16. SSL Certificate Direct Analysis - Establishing TLS connections to extract domains from live SSL certificates
  • 17. HTTP Header Analysis - Extracting domains from HTTP response headers via direct requests
  • 18. Document Metadata Analysis - Extracting domains from document directories via HTTP requests
  • 19. Favicon Hashing - Downloading favicon files via HTTP, hashing them, then searching Shodan for matches
  • 20. Email Header Analysis - Extracting domains from email contact pages via HTTP requests

Fully Active Techniques (4 Methodologies - Optional)

Aggressive direct interaction - highly detectable, requires explicit authorization

  • 21. DNS Brute Force - Systematically querying DNS with wordlist-based subdomain guesses (dnsx, massdns)
  • 22. Zone Transfer (AXFR) - Attempting DNS zone transfers to retrieve all DNS records (dig)
  • 23. DNS Cache Snooping - Querying DNS resolvers' cache to discover previously queried domains
  • 24. Port Scanning - Scanning ports and extracting hostnames from service banners

Detection Profile Summary

  • Passive (12): Zero detection risk - no target interaction
  • Semi-Active (8): Low-medium detection risk - HTTP requests visible in logs
  • Fully Active (4): High detection risk - aggressive probing, requires authorization

Domain Analysis

Package 1 focuses on comprehensive discovery and mapping without deep vulnerability scanning. Domain scanning limits apply starting from Package 2.

Deliverables

  • Comprehensive attack surface report
  • Network topology diagrams
  • Asset inventory documentation
  • Initial vulnerability findings
  • Recommendations for improvement

Use Cases

Package 1 is ideal for organizations that need to:

  • Understand their complete attack surface
  • Establish a security baseline
  • Identify unknown or forgotten assets
  • Prepare for more advanced security assessments
  • Comply with security audit requirements